Using Permissions

Jon P Smith edited this page Aug 7, 2021 · 1 revision

Within your application the permission claim is available for the current user via the ClaimsPrincipal, which is in the HTTP context under the property User (see this section for a diagram). This claim can be used in three ways to control access to features in your application.

1. Using HasPermission attribute

The [HasPermission] attribute works best with:

Here is an example taken from Example2's WeatherForecastController, which is a Web API controller; see the first line.

[HasPermission(PermissionEnum.ReadWeather)]
[HttpGet]
public IEnumerable<WeatherForecast> Get()
{
    //… other code left out
}

2. Using HasPermission extension method

The other approach is to use the HasPermission extension method, which returns true if the current user has the specific permission you are looking for. This is more versatile, but you have to write more code. It works best in the following places:

  • Within Razor pages, to control whether a feature should be displayed - see this example.
  • Inside Razor Page methods or Controller actions - see this Razor Page example.
  • In Blazor front-end code, e.g., @context.User.HasPermission(Example.SalesRead) returns true if the current user has that permission.

Here is an example taken from AuthP’s Example1 Razor Pages application.

public class SalesReadModel : PageModel
{
    public IActionResult OnGet()
    {
        if (!User.HasPermission(Example1Permissions.SalesRead))
            return Challenge();

        return Page();
    }
}
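The Razor Page below is an added example and is not code from the AuthP wiki or its Example1 project. It extends the page's SalesReadModel to show two points a reviewer would look for: every handler that acts for the user (here OnGet and a POST handler) repeats the permission check, because hiding a button in the .cshtml does not stop a crafted request from reaching the handler; and an authenticated user who simply lacks the permission gets a 403 (Forbid) rather than a Challenge, which would send them back to a login page they have already passed. The namespace of the HasPermission extension and the sample order data are assumptions.

```csharp
// Added example (not from the AuthP wiki or Example1): a Razor Page that
// enforces the same permission in every handler.
// Assumptions: Example1Permissions.SalesRead is the permission enum value used on
// this page; the namespace that holds User.HasPermission(...) is taken from the
// AuthP example projects and may differ in your version.
using System.Collections.Generic;
using System.Text;
using AuthPermissions.AspNetCore;   // assumed: where the HasPermission extension lives
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public class SalesReadModel : PageModel
{
    public List<string> Sales { get; private set; } = new();

    public IActionResult OnGet()
    {
        var denied = DenyIfMissing(Example1Permissions.SalesRead);
        if (denied != null) return denied;

        Sales = new List<string> { "order-1001", "order-1002" }; // constructed sample data
        return Page();
    }

    // Every handler that does something on the user's behalf repeats the check.
    // Wrapping the Export button in @if (User.HasPermission(...)) only tidies the
    // UI; a hand-made POST still reaches this method, so the check has to be here.
    public IActionResult OnPostExport()
    {
        var denied = DenyIfMissing(Example1Permissions.SalesRead);
        if (denied != null) return denied;

        var csv = Encoding.UTF8.GetBytes("order-1001\norder-1002\n"); // constructed sample data
        return File(csv, "text/csv", "sales.csv");
    }

    // Anonymous users are sent to log in (Challenge, as in the page's example).
    // Logged-in users who lack the permission get a 403 (Forbid) instead of being
    // bounced to the login page, which would loop for an already-authenticated user.
    private IActionResult? DenyIfMissing(Example1Permissions permission)
    {
        if (User.HasPermission(permission))
            return null;

        return User.Identity?.IsAuthenticated == true ? Forbid() : Challenge();
    }
}
```

In the matching .cshtml the Export form can be wrapped in `@if (User.HasPermission(Example1Permissions.SalesRead))` so users without the permission never see it; that is the "display" use from the list above, while the handler checks are the actual access control.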

3. Using the IUsersPermissionsService service

If you are using a front-end library such as React, Angular, Vue and so on, then your front-end needs to know what Permissions the current user has, so that it can display the links, buttons, etc. that the current user has access to. If you need this, you need to set up a Web API endpoint that returns the current user's permissions.

The IUsersPermissionsService service has a method called PermissionsFromUser which returns a list of the Permission names for the current user (or null if no one is logged in or the user is not registered as an AuthUser). The code below comes from Example2's AuthenticateController.

/// <summary>
/// This returns the permission names for the current user (or null if not available)
/// </summary>
/// <param name="service">The IUsersPermissionsService injected by ASP.NET Core's DI</param>
/// <returns>The current user's permission names, or null if no one is logged in
/// or the user is not registered as an AuthUser</returns>
[HttpGet]
[Route("getuserpermissions")]
public ActionResult<List<string>> GetUsersPermissions([FromServices] IUsersPermissionsService service)
{
    return service.PermissionsFromUser(User);
}

NOTE: You only need to read this once, at login, if you are using Cookie Authentication, and after login and after each refresh of a JWT Token if you are using JWT. That's because the user's permissions are recalculated at these points.
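As an added example that is not part of this wiki page or Example2, here is a small client-side helper, of the kind a Blazor WebAssembly front end would use, that reads the endpoint above and keeps the result only for deciding what to render. It follows the NOTE: the list is re-read after login and after each JWT refresh, and cleared on logout. It also handles the shape the endpoint actually produces when PermissionsFromUser returns null, which ASP.NET Core sends as 204 No Content rather than a JSON body. The full route "api/authenticate/getuserpermissions" is an assumption (the controller's route prefix is not shown on this page), as is an HttpClient already configured with the base address and the user's credentials.

```csharp
// Added example (not from the AuthP wiki or Example2): a front-end cache of the
// current user's permission names, fetched from the getuserpermissions endpoint.
// Assumptions: the route prefix below; HttpClient carries the cookie or JWT.
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Json;
using System.Threading.Tasks;

public sealed class UserPermissionsClient
{
    private const string PermissionsRoute = "api/authenticate/getuserpermissions"; // assumed route
    private readonly HttpClient _http;
    private HashSet<string> _permissions = new();

    public UserPermissionsClient(HttpClient http) => _http = http;

    // Call once after login, and again after every JWT refresh: the server
    // recalculates the user's permissions at those points, so anything cached
    // before then is stale. A null result (no one logged in, or the user is not
    // an AuthUser) is treated as "no permissions".
    public async Task ReloadAsync()
    {
        using var response = await _http.GetAsync(PermissionsRoute);
        response.EnsureSuccessStatusCode();

        // A null ActionResult<T> becomes 204 No Content, which has no JSON body,
        // so check the status before trying to deserialise.
        List<string>? names = response.StatusCode == HttpStatusCode.NoContent
            ? null
            : await response.Content.ReadFromJsonAsync<List<string>>();

        _permissions = names == null ? new HashSet<string>() : new HashSet<string>(names);
    }

    // UI hint only: use it to show or hide a link or button. It is not an access
    // control; the server still enforces [HasPermission] on every action.
    public bool Can(string permissionName) => _permissions.Contains(permissionName);

    // Drop the cache on logout so a stale list cannot shape the next session's UI.
    public void Clear() => _permissions = new HashSet<string>();
}
```

Register it as a scoped or singleton service in the front end, call ReloadAsync after your login and token-refresh code, and use Can("SalesRead") (the permission's name as a string, which is what the endpoint returns) when rendering menus.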
